SharePoint Online Azure ACS Retirement
Hi All,
A few years ago I wrote an article on how to grant an Entra app access to a SharePoint site so that it can upload files with PnP.PowerShell.
I wanted to do the same thing again, and now there is a big red bar at the top of the page that informs about the Azure ACS retirement in April 2026:
Starting April 2, 2026, Azure Access Control service (ACS) usage will be retired for SharePoint in Microsoft 365 and users will no longer be able to create or use Azure ACS principals to access SharePoint. Learn more about the Access Control retirement
You can still add permissions to SharePoint here:
https://[tenant].sharepoint.com/sites/[siteName]/_layouts/appinv.aspx
And review them here:
https://[tenant].sharepoint.com/sites/[siteName]/_layouts/15/appprincipals.aspx
- Azure ACS retirement in Microsoft 365: Azure ACS will stop working for new tenants as of November 1st, 2024, and it will stop working for existing tenants and be fully retired as of April 2nd, 2026.
- SharePoint Add-In retirement in Microsoft 365: SharePoint Add-Ins will stop working for new tenants as of November 1st, 2024, and they will stop working for existing tenants and be fully retired as of April 2nd, 2026.
Assessment
Microsoft recommends running the Microsoft 365 Assessment tool.
I've created an Entra ID application with the required permissions:
Application
- Graph: Sites.Read.All
- Graph: Application.Read.All
- SharePoint: Sites.Read.All
Delegated
- Graph: Sites.Read.All
- Graph: Application.Read.All
- Graph: User.Read
- SharePoint: AllSites.Read
The SharePoint permissions are a little bit tricky: you need to select "APIs my organization uses" and then search for "Office 365 SharePoint Online".
Now you can select the permission.
I've used application permissions and granted admin consent.
The application uses a certificate for authentication.
Starting Assessment
Now I am able to start the assessment with the M365 Assessment Tool:
microsoft365-assessment.exe start --mode AddInsACS --authmode application --tenant icewolfch.sharepoint.com --applicationid 52b87847-5a39-42b1-9119-790a6c275069 --certpath "My|CurrentUser|07EFF3918F47995EB53B91848F69B5C0E78622FD"
There are a number of commands you can use to monitor the scan:
microsoft365-assessment.exe status
microsoft365-assessment.exe list
microsoft365-assessment.exe stop
Report
With the ID of the scan you can export CSV files:
microsoft365-assessment.exe report --id d088bed0-9ebe-4a27-93f6-2d8b5600505c --mode CsvOnly --path "c:\Scripts\reports"
You will get a bunch of CSV files.
Or you can create a Power BI report, which opens in Power BI Desktop:
microsoft365-assessment.exe report --id d088bed0-9ebe-4a27-93f6-2d8b5600505c
Changes
Testing current Access
###############################################################################
# Upload file to SharePoint with PnP.PowerShell
# 23.01.2022 - Andres Bohren
###############################################################################
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258" #AADUsers
$ClientSecret = "YourClientSecret"
$SiteURL = "https://icewolfch.sharepoint.com/sites/IcewolfDemo/"
$FileURL = "Freigegebene Dokumente/AADExport/AADUsers.csv"
#Connect-PnPOnline
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -ClientSecret $ClientSecret -WarningAction Ignore
#Get-PnPContext
#Items in Folder
$RelativeURL = "Freigegebene Dokumente/AADExport"
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
$Items
#Upload File
$CSVFile = "C:\GIT_WorkingDir\PowerShellScripts\SharePoint\AADUsers.csv"
Write-Output "Uploading CSV to Sharepoint"
$FolderObject = Get-PnPFolder -Url $RelativeURL
$Upload = Add-PnPFile -Path $CSVFile -Folder $FolderObject
if ($null -ne $Upload)
{
Write-Output "File successfully uploaded"
}
Remove Application
Remove the application's access from SharePoint here:
https://[tenant].sharepoint.com/sites/[siteName]/_layouts/15/appprincipals.aspx
Testing after the application has been removed:
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258"
$ClientSecret = "YourClientSecret"
$SiteURL = "https://icewolfch.sharepoint.com/sites/IcewolfDemo/"
$FileURL = "Freigegebene Dokumente/AADExport/AADUsers.csv"
#Connect-PnPOnline
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -ClientSecret $ClientSecret -WarningAction Ignore
#Get-PnPContext
#Items in Folder
$RelativeURL = "Freigegebene Dokumente/AADExport"
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
Get-PnPAzureAdAppSitePermission
Now we check the permissions with Get-PnPAzureAdAppSitePermission. As you can see, there are no permissions.
For this I am logged in with the new Entra ID app for SharePoint that was created with Register-PnPEntraIDApp.
#Connect-PnPOnline with SharePoint App (SharePoint Administrator)
Connect-PnPOnline -Url "https://icewolfch.sharepoint.com/sites/IcewolfDemo/" -ApplicationId "7bc9048b-ba56-4fe0-9b52-ba8f8a6e18a6" -Tenant "icewolfch.onmicrosoft.com" -Thumbprint "55ebadf1a14df8e088ef985730a8cfb01749400c"
#Get Permission
Get-PnPContext
Get-PnPAzureAdAppSitePermission
Get-PnPAzureADAppSitePermission -AppIdentity "0d1c73de-c74d-4b06-8a35-e53c8e190258" #AADExport
Get-PnPAzureADAppSitePermission -Site "https://icewolfch.sharepoint.com/sites/DemoTemplate"
Grant-PnPAzureADAppSitePermission
Now we add the permission to the SharePoint site with the PnP.PowerShell cmdlet Grant-PnPAzureADAppSitePermission:
#Grant Permission
Grant-PnPAzureADAppSitePermission -AppId "0d1c73de-c74d-4b06-8a35-e53c8e190258" -DisplayName "AADExport" -Permissions FullControl -Site "https://icewolfch.sharepoint.com/sites/IcewolfDemo"
If we check the app permissions now, we can see an entry:
Get-PnPAzureAdAppSitePermission
By the way, the ID is Base64 encoded and can be decoded with the following PowerShell code:
$SitePermission = Get-PnPAzureADAppSitePermission -Site "https://icewolfch.sharepoint.com/sites/IcewolfDemo"
$id = $SitePermission.id
[System.Text.Encoding]::ascii.GetString([System.Convert]::FromBase64String($id))
Checking if the code works again:
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258" #AADUsers
$ClientSecret = "YourClientSecret"
$SiteURL = "https://icewolfch.sharepoint.com/sites/IcewolfDemo/"
$FileURL = "Freigegebene Dokumente/AADExport/AADUsers.csv"
#Connect-PnPOnline
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -ClientSecret $ClientSecret -WarningAction Ignore
#Get-PnPContext
#Items in Folder
$RelativeURL = "Freigegebene Dokumente/AADExport"
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
$Items
#Upload File
$CSVFile = "C:\GIT_WorkingDir\PowerShellScripts\SharePoint\AADUsers.csv"
Write-Output "Uploading CSV to Sharepoint"
$FolderObject = Get-PnPFolder -Url $RelativeURL
$Upload = Add-PnPFile -Path $CSVFile -Folder $FolderObject
if ($null -ne $Upload)
{
Write-Output "File successfully uploaded"
}
Remove Permission
For completeness, here is the code to remove the permission for an Entra app from a SharePoint site:
#Remove Permission
$SitePermission = Get-PnPAzureADAppSitePermission -Site "https://icewolfch.sharepoint.com/sites/IcewolfDemo"
$id = $SitePermission.id
Revoke-PnPAzureAdAppSitePermission -PermissionId $id
Get-PnPAzureAdAppSitePermission
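As an added example (not code from the original post), the following audit lists the Sites.Selected grants of one Entra app across several sites and flags any grant above the role the app actually needs; an uploader needs Write, not the FullControl granted above. It assumes PnP.PowerShell, an admin app with certificate authentication (values in <...> are placeholders), and that Get-PnPAzureADAppSitePermission returns objects with Id and Roles properties.

```powershell
# Added example, not from the original post: audit the Sites.Selected grants of
# one Entra app across several sites and flag grants above the role it needs.
# Assumes PnP.PowerShell and an admin app with certificate auth; <...> are placeholders.
$AdminAppId  = "<AdminAppId>"
$AdminThumb  = "<CertThumbprint>"
$Tenant      = "icewolfch.onmicrosoft.com"
$TargetAppId = "0d1c73de-c74d-4b06-8a35-e53c8e190258"   # the upload app from the post
$NeededRole  = "Write"                                   # uploading files needs Write, not FullControl

# Constructed site list; in practice feed it from the assessment CSVs or Get-PnPTenantSite
$Sites = @(
    "https://icewolfch.sharepoint.com/sites/IcewolfDemo",
    "https://icewolfch.sharepoint.com/sites/DemoTemplate"
)

Connect-PnPOnline -Url $Sites[0] -ClientId $AdminAppId -Thumbprint $AdminThumb -Tenant $Tenant -WarningAction Ignore

$Report = foreach ($Site in $Sites) {
    # -Site lets one admin session query other sites, as shown in the post
    $Grants = Get-PnPAzureADAppSitePermission -Site $Site -AppIdentity $TargetAppId
    if (-not $Grants) {
        [PSCustomObject]@{ Site = $Site; Roles = "(none)"; PermissionId = ""; Finding = "no Sites.Selected grant" }
        continue
    }
    foreach ($Grant in $Grants) {
        # Roles is assumed to be a string array such as @("FullControl")
        $Roles = @($Grant.Roles) -join ","
        $Finding = if ($Roles -match "FullControl|Manage") { "over-privileged, downgrade to $NeededRole" }
                   elseif ($Roles -match $NeededRole)      { "ok" }
                   else                                    { "insufficient for upload" }
        [PSCustomObject]@{ Site = $Site; Roles = $Roles; PermissionId = $Grant.Id; Finding = $Finding }
    }
}

$Report | Format-Table -AutoSize

# To downgrade an over-privileged grant: revoke it and re-grant only Write
# Revoke-PnPAzureADAppSitePermission -PermissionId <PermissionId>
# Grant-PnPAzureADAppSitePermission -AppId $TargetAppId -DisplayName "AADExport" -Permissions Write -Site <Site>
```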
Disable Azure ACS
When all applications have been migrated, you can activate the SharePoint tenant parameter "DisableCustomAppAuthentication".
PowerShell 5
Connect-SPOService -Url https://icewolfch-admin.sharepoint.com
Get-SPOTenant | fl DisableCustomAppAuthentication
PowerShell 7 gives us an error, even though the module is installed:
Get-InstalledPSResource Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Connect-SPOService -Url https://icewolfch-admin.sharepoint.com
You need to import the module in PowerShell 7 as a Windows PowerShell 5 module:
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell -WarningAction SilentlyContinue
Connect-SPOService -Url https://icewolfch-admin.sharepoint.com
Get-SPOTenant | fl DisableCustomAppAuthentication
DisableCustomAppAuthentication
Set-SPOTenant -DisableCustomAppAuthentication $true
Get-SPOTenant | fl DisableCustomAppAuthentication
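As an added example (not code from the original post), a pre-flight check that verifies each migrated app still reaches its site with certificate authentication before the tenant switch is flipped, so that the 401 described in the next section is caught before ACS is turned off. It assumes PnP.PowerShell and Microsoft.Online.SharePoint.PowerShell are installed and the session runs in PowerShell 7 as SharePoint Administrator; the app inventory is constructed from the values used in this post.

```powershell
# Added example, not from the original post: verify every migrated app works
# without ACS (certificate + Sites.Selected) and only then disable ACS tenant-wide.
# Assumes PnP.PowerShell and Microsoft.Online.SharePoint.PowerShell are installed.
$Tenant   = "icewolfch.onmicrosoft.com"
$AdminUrl = "https://icewolfch-admin.sharepoint.com"

# Constructed inventory: one row per app that was migrated to Sites.Selected + certificate
$MigratedApps = @(
    [PSCustomObject]@{
        AppId      = "0d1c73de-c74d-4b06-8a35-e53c8e190258"
        Thumbprint = "07EFF3918F47995EB53B91848F69B5C0E78622FD"
        Site       = "https://icewolfch.sharepoint.com/sites/IcewolfDemo"
        Folder     = "Freigegebene Dokumente/AADExport"
    }
)

$Results = foreach ($App in $MigratedApps) {
    try {
        Connect-PnPOnline -Url $App.Site -ClientId $App.AppId -Thumbprint $App.Thumbprint -Tenant $Tenant -WarningAction Ignore
        # a real read through the Sites.Selected grant; throws if the grant or the certificate is missing
        $null = Get-PnPFolderItem -FolderSiteRelativeUrl $App.Folder -ErrorAction Stop
        [PSCustomObject]@{ AppId = $App.AppId; Site = $App.Site; Status = "OK"; Error = "" }
    }
    catch {
        [PSCustomObject]@{ AppId = $App.AppId; Site = $App.Site; Status = "FAIL"; Error = $_.Exception.Message }
    }
    finally {
        try { Disconnect-PnPOnline } catch { }
    }
}
$Results | Format-Table -AutoSize

$Failed = @($Results | Where-Object Status -eq "FAIL")
if ($Failed.Count -gt 0) {
    Write-Warning "Not disabling ACS: $($Failed.Count) app(s) still fail without ACS."
    return
}

# Every app works without ACS, so the legacy path can be turned off
Import-Module Microsoft.Online.SharePoint.PowerShell -UseWindowsPowerShell -WarningAction SilentlyContinue
Connect-SPOService -Url $AdminUrl
Set-SPOTenant -DisableCustomAppAuthentication $true
Get-SPOTenant | Format-List DisableCustomAppAuthentication
```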
Adoption
After DisableCustomAppAuthentication has been set, the script gets a 401 Unauthorized error:
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258"
$ClientSecret = "YourClientSecret"
$SiteURL = "https://icewolfch.sharepoint.com/sites/IcewolfDemo/"
$FileURL = "Freigegebene Dokumente/AADExport/AADUsers.csv"
#Connect-PnPOnline
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -ClientSecret $ClientSecret -WarningAction Ignore
#Get-PnPContext
#Items in Folder
$RelativeURL = "Freigegebene Dokumente/AADExport"
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
The Entra application has to be extended with these two permissions:
- Sharepoint: Sites.Selected
- Graph: Sites.Selected
Then you need to grant admin consent.
On the application I needed to switch from a client secret to a certificate and add the Tenant parameter:
Connect-PnPOnline -Url <SharePointSiteURL> -ClientId <AzureAppID> -Thumbprint <CertThumbprint> -Tenant "<Tenant>.onmicrosoft.com"
###############################################################################
# Upload file to SharePoint with PnP.PowerShell
# 23.01.2022 - Andres Bohren
###############################################################################
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258"
$Thumbprint = "07EFF3918F47995EB53B91848F69B5C0E78622FD"
$SiteURL = "https://icewolfch.sharepoint.com/sites/IcewolfDemo/"
$FileURL = "Freigegebene Dokumente/AADExport/AADUsers.csv"
$Tenant = "icewolfch.onmicrosoft.com"
#Connect-PnPOnline
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -Thumbprint $Thumbprint -Tenant $Tenant -WarningAction Ignore
#Get-PnPContext
#Items in Folder
$RelativeURL = "Freigegebene Dokumente/AADExport"
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
$Items
#Upload File
$CSVFile = "C:\GIT_WorkingDir\PowerShellScripts\SharePoint\AADUsers.csv"
Write-Output "Uploading CSV to Sharepoint"
$FolderObject = Get-PnPFolder -Url $RelativeURL
$Upload = Add-PnPFile -Path $CSVFile -Folder $FolderObject
if ($null -ne $Upload)
{
Write-Output "File successfully uploaded"
}
Summary
It's quite a job to analyze the current ACS principals and Add-Ins, then figure out what has to be changed, before Azure ACS can be disabled on the SharePoint tenant with the DisableCustomAppAuthentication parameter. It took me a while in my tenant to understand and adopt it. This will take even more time in an enterprise with a large number of SharePoint sites and applications that have access to SharePoint in one way or another.
Regards
Andres Bohren